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(57) Abstract 

A system is provided in which a single postal security device (20, 40, 44) has a secure housing, and within the secure housing are 
two or more accounting register sets (31. 51a, 51b, 51c). Importantly, the two or more accounting register sets (31, 51a, 51b, 51c) are 
associated with distinct meter licenses (32, 52a, 52b, 52c). Alternatively, the single postal security device (20, 40, 44) can store a single 
accounting register set (31, 51a, 51b, 51c), but is able to transfer the register set (31, 51a, 51b, 51c) to a nonsecure store (71) such as the 
hard drive of a personal computer, the register set having been cryptographically signed (72). Later the register set (72) may be retrieved 
from the nonsecure store (71) and cryptographically authenticated, and restored to its location within the secure housing of postal security 
device (20, 40, 44). In this way, the postal security (20, 40, 44) may provide service under more than one distinct meter license (32, 52a, 
52b, 52c). In a related embodiment, a single meter license (32, 52a, 52b, 52c) is associated with more than one postal security device (20, 
40, 44), each with its own secure housing. Each register set (31, 51a, 51b, 51c) is configured to permit being reset (refilled with postage) 
by means of a cryptographically secure exchange of data over a communications channel (23, 25, 30, 41 , 45) to external equipment such 
as a manufacturer's server (24) or a server (26) operated by the post office. 
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WO 99/48053 PCT/US99/05892 
System and method for management of postage meter licenses 

The invention relates generally to postage meters (franking machines), and relates particularly 
to systems in which postage meter licenses are managed in a way that is non-identical to the 
number of associated postal security devices. The application claims priority from US 
5 application no. 60/078,488, filed March 1 8, 1998, which application is incorporated herein by 
reference to the extent permitted by the designated and elected States hereto. 

Background 

It has been well known for many decades to use a postage meter which has within a secure 
housing an accounting means and a printing means. The accounting means includes an 

10 ascending register indicative of postage that has been printed, and typically a piece counter 
indicative of the number of mail pieces that have been printed. In many countries including 
the United States, the accounting means also includes a descending register indicative of the 
amount of postage value available to be printed. The printing means is used to print postage 
indicia on mail pieces, typically by a relief printing die with characteristic fluorescent ink. 

1 5 Such postage meters have worked exceeding well for decades and have proven to be reliable. 
While it is technically possible to print postal indicia for which no money has been paid to the 
post office, such fraud is relatively infrequent because it would be readily detectable through 
physical inspection of the meter for tampering. 

The postage meter saves the postal authority from much of the work of printing, stocking and 
20 selling postage stamps. When postal rates change, the postage meter user can simply print the 
new postal amount, while the stamp user must queue up at the post office to purchase stamps 
in the new denomination. 

In recent years it has been proposed to print postal indicia by means of conventional 
nonsecure printers such as laser printers, ink-jet printers, and thermal transfer printers. Such 
25 printers are termed "nonsecure" because the printer itself is not in a secure housing and 
because the communications channel linking the printer to other apparatus is nonsecure. 
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Under such a proposal, the question naturally arises what would prevent a user from printing 
the same postal indicium repeatedly, thereby priming postal indicia for which no money has" 
been paid to the post office. The proposed anti-fraud measure is to store information within 
the indicia which would permit detecting fraud. The indicium would include not only 
human-readable text such as a date and a postage amount, but would also include machine- 
readable information, for example by means of a two-dimensional bar code. The machine- 
readable information would be cryptographically signed, and would include within it some 
information intended to make fraud more difficult. The information would typically include 
an identification of the postage meter license (granted by the meter manufacturer or by the 
postal authorities, depending on the country), an indication of the number of mail pieces 
franked, the postage amount, a postal security device identifier about which more will be said 
later, the date and time, and a zip code or post code of the mail piece addressee. 

There are, of course, many potential drawbacks to such an approach for printing of postal 
indicia. A user who intends to defraud the postal service might use a bar-code reader to read 
the contents of the indicium. (This capability illustrates the pointlessness of trying to give 
physical security to the printing means or of the communications channel by which the 
printing means is controlled.) The contents of the bar code could be used to print identical or 
nearly identical indicia, perhaps at a geographic distance. It would then fall to the postal 
service to perform an analysis on all or nearly all of the indicia scanned on a particular day, to 
20 try to identify duplicates. 

Yet another drawback is that it is commonplace for a mail piece to get smudged on the way to 
the post office or within the post office, prior to the authentication scanning by the post 
office. If the post office is unable to read the bar code, the post office has to decide whether 
to return the mail piece to the sender, or risk delivering a mail piece bearing a counterfeit 

25 indicium. 

The typical apparatus for printing such "encrypted indicia" postage includes what is called a 
postal security device or PSD. The PSD has a secure housing, and within the secure housing 
are the accounting registers as well as a cryptographic engine. The engine permits 
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cryptographic authentication and signing for communication with an external device such as 
the computer of the meter manufacturer or of the post office. The engine also permits 
creation of postal indicia which contain specified information and which are 
cryptographically signed. The PSD may well be physically small as compared to traditional 
5 postage meters. The PSD may be the size of a PCMCIA card or the size of a smart card. 

Within the PSD the memory must be protected against unadvertent damage due to 
malfunction of the processor of the PSD, for example as set forth in US Pat. No. 5668973, 
Protection system for critical memory information owned by the same assignee as the 
assignee of the present application. The PSD must handle power failure in a graceful fashion, 
1 0 for example as set forth in US Pat. No. 57 1 2542, Postage meter with improved handling of 
power failure, also owned by the same assignee as the assignee of the present application. 

To reduce smudging, the printer may preferably be that described in PCT publication ho. 
97-46389, Printing apparatus, also owned by the same assignee as the assignee of the present 
application. While it has been proposed that the PSD contain a real-time clock which is 

15 keeping time continuously, desirably this requirement may be avoided as described in PCT 
publication no. 98-08325, Printing postage with cryptographic clocking security, also owned 
by the same assignee as the assignee of the present application. PSDs can form part of a 
network with multiple printers as described in PCT publication no. 98-13790, Proof of 
postage digital franking, also owned by the same assignee as the assignee of the present 

20 application. 

The PSD in proposed systems contains the ascending and (optional depending on country) 
descending registers, the piece counter, and a "meter license number". The meter license 
number represents a legal license granted by the postal authority which permits operation of 
the PSD and the associated printing of postage indicia. It is assumed that the PSD also has a 
25 unique identifying number stored within the PSD, but this number is expected to be non- 
identical to the meter license number. For example, if a PSD were to require service, the PSD 
manufacturer may take one PSD out of service for a particular customer and place another 
PSD into service for that particular customer, and yet the meter license number (which 
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pertains to the customer) may remain the same. 

It would be advantageous to have a system with great flexibility to accommodate a number of 
users, or to accommodate the use of several PSDs per user, yet the proposed PSD 
arrangements are inflexible. 

Summary of the Invention 

A system is provided in which . sillgle ^ ^ ^ ^ , ^ ^ ^ 

.hasecurehousingare.woormoreaccounUng^.erse^. Importantly, the two or more 
accounting register se ts are associated with distinct meter hcenses. Alternatively, the sing.e 
posta, security device can store a single accounting tester se, bu, is able to transfer the 

set «o a nonsecure store such as the hard drive of a personal computer, the register se, 
havtng been cryptographically signed. L.ter the register set may be retrieved from the 
nonsecure store and cryptographically authenticated, and restored to its iocation within the 
secure housing. In this way, the posta, security device may provide service under more than 
one dtstmc. meter ,ice„se. In a retated embodiment, a singie meter license is associated with 
more than one postal security device, each with its own secure housing. Each registers* ,s 
configured to permit being reset (refined with postage, by means of a cryptographic*!,, 
secure exchange of data over a communications channel to externa, equipment such as a 
manufacturer's server or a server operated by the post office. 

Description of the drawing 

Rg. 1 shows in functional block diagram form a prior art PSD system; 

Rg. 2 shows in functional block diagram form a portion of a prior ar, PSD system; 
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Fig. 3 shows in functional block diagram form a PSD system according to an embodiment of 
the invention; 

Fig. 4 shows in a data flow diagram the steps associated with obtaining an additional meter 
license with a PSD in accordance with an embodiment of the invention; and 

5 Fig. 5 shows in functional block diagram form a PSD according to another embodiment of the 
invention. 

Detailed description 

Turning now to Fig. 1, there is shown in functional block diagram form a prior art PSD 
system. A postal security device (PSD) 20 is connected with a user system 21, typically a 

10 person computer or workstation. Connected directly or through a local area network is a 
printer 22 on which postal indicia are printed. The user system 21 is communicatively 
coupled with a manufacturer's system 24, which in turn is communicatively coupled with the 
postal authority 26. The communicative links 23 and 25 are preferably TCP/IP links via the 
Internet, but may optionally be other links such as dialup modem access lines or dedicated 

15 data lines. 

The PSD 20 contains postage value, embodied in the contents of the descending register (item 
33 in Fig. 2). In response to a request from the user via the computer 21, the PSD 20 
generates an "encrypted indicium", that is, a print image containing cryptographically signed 
information, to be printed by means of printer 22 onto an envelope or post card or postage 

20 label. The image includes human-readable information as well as computer-readable 

information in bar code form. If the user wishes to "refill" or "reset" the postage meter, this 
is done by means of a cryptographically secure exchange between the PSD 20 and the 
manufacturer's system 24. Depending on the requirements of the postal authority, the 
resetting may also include an exchange with the postal authority's system 26. When the 

25 postal indicium is generated, the descending register is decremented accordingly, the 

ascending register is decremented accordingly, and the piece count is incremented. The 
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indicium typically includes , in cryptographjca]ly sjgned of fonn _ to ^ ^ 

number, a unique number identifying me PSD, me da«e and time, the contents of «he 
accounting mi ot „ er jnfonnatjon to ^ ^ . ndicjum ^ ^ ^ ^ 

or Z,p a* of ,he mai, pieee addressee. ,, wi.1 be appreciated ma, in some countries mere is 
no descending register and the payment by the user is based instead on the changing value of 
.he ascending register. The teachings of the invention may be app.ied equally „ei. to systems 
■n countries .ha. use a descending register and in countries mat do no, use a descending 

register. to 

Ft 2 shows i„ functional block diagram form a portion of a prior art PSD system. The PSD 

20 has a communications channel 30 which permi,s data exchanges with me user's confer 

to. 2 1 .„ F,g. , > and with the manufacturer's system 24. The PSD 20 contains a register se, 

3U whtch tnclude a me,er license number 32, an ascending register 33, a descending register 

34, and a ptece counter 35. The PSD typically contains a cryptographic engine, a 

clocltfcalendar, a microprocessor, RAM, nonvolatile RAM, ROM, and a bauery, all omitted 
forclanty i„ Fi g. 2 . PSD ^ . ^ ^ ^ ^ 

■mposstble. The PSD 20 communicates with a primer 22 for printing postage indicia. 

Hg. 3 shows in functional block diagram form a PSD system according to an embodiment of 
the mvenuon. Chained within the PSD 40 are two or more register sets 51a, b, c. Each 
contains a meter license number 52a, b, c, an ascending register 53a, b, c, a descending 
renter 54a, b, c, and a piece counter 55a. b, c. In response to user selections, the PSD 40 can 
pnn, postage with respect ,„ any „ ne of ,he regis K r seu, and can reset (refill, any one of me 
register sets. 

Described di,fe re „ U y, wha, is shown is a franking sysfcm comprising a prinfcr 22, 
secunty device 40 communicatively couple* wi,h the printer 22. and a communications 
channel 4. coupled with the postal security device 40 ,o apparatus externa, ,o ,he printer 22 

houstng, ,he postal security device 40 containing within me secure housing a finst register se, 
51a comprising information indicative of a firs, license number 52a, a fa, ascending tegister 
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53a, and a first piece counter 55a, the postal security device 40 further containing within the 
secure housing a second register set 51b comprising information indicative of a second 
license number 52b, a second ascending register 53b, and a second piece counter 55b, each of 
the ascending registers 53a, b indicative of postage printed in connection with the respective 
license number 52a, b, each of the piece counters 55a, b indicative of a number of mail pieces 
franked in connection with the respective license number 52a, b; the postal security device 40 
further comprising a franking means responsive to a user request for the printing of a postage 
indicium in a particular value in connection with a particular license number 52a, b by 
incrementing the ascending register 53a, b in the particular value, by incrementing the piece 
counter 55a, b, and by creating a cryptographically authenticated indicium based in part on 
the license number 52a, b and the particular value for printing on the printer 22; each register 
set 5 1 a, b disposed to be reset by means of a cryptographically secure exchange over the 
communications channel 41, the cryptographically secure exchange including transmission of 
information indicative of the license number 52a, b associated with the each register set 51a, 
b. 

A company may have several individuals who generate mail, in particular with PC-based 
word processing programs. These individuals may be located in different geographic 
locations. Often it is desired to enter mail at a particular post office as it may speed delivery 
of that mail to the recipient or recipients. Under the requirements and constraints of the 
traditional postage metering environment, a company might have to license multiple postage 
meters for multiple users and for multiple mail entry points. With the system according to the 
invention, however, a single PSD may be able to serve multiple users. 

It is assumed that each meter license number has associated with it a particular town in which 
its mail is to be deposited. (This is important to give revenue credit to each town's post office 
in keeping with the mail deposited therein.) Thus, implied by a particular license is the 
digitally printed equivalent of the "town die" in a tradition postage meter which indicates the 
town in which mail is to be deposited. The PSD according to the invention, accommodating 
more than one license, can enable the user to generate franked mail for deposit in more than 
one town. 
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The postal service may require that the PSD generates a new public/private key pair for 
s.gnmg indicia for each new or additional meter license from the postal authority. In such a 
case, the private key must of course be securely stored within the PSD. The public key is 
signed by a certificate authority and is stored in the host system along with the signed meter 

licenses. 



F,g. 4 shows in a data flow diagram the steps associated with obtaining an additional meter 
Itcense with a PSD in accordance with an embodiment of the invention. The user requests the 
ucense on the user host system (21 tnFig. I)ins,ep60. The user host system 21 forwards 
*e request to the postal security device 40 (in Fig. 4) which prepares a license request 
message i„ step 6! The PSD 40 cryptographically signs the message in step 62 and sends the 
request back to the user host system 21 which forwards the request to the manufacturer 
system 24 (Fig. , ,. The a„„; acturer svstem 24 verifies ^ or . gjn rf ^ ^ ^ 

the signature (block 63) from the PSD 40. The request is men forwarded to the postal " 
authority system 26 (Fig. ■) i„ step 64. 1, should be noted tha, the communications links 23 
25 may be secured, bu, preferably no security assumption is made about the links 23, 25 and' 
mstead cryptographic measures (such as signatures) are employed. After evaluation of the 
request, the postal authority system 26 issues a meter license number and grants the requested 
hcense in step 65, typically adding its own digital signature to the license The 
manufacturer's system 24 (Fig. 1) verif.es the validity of the license and adds its own digital 
stgnature (step 66) and passes the license along to the postage meter (i.e. the PSD 40 in Fi. 
3). The PSD 40 establishes accounting registers to correspond to the license, and is able to 
generate postal indicia in connection with the license. 

Described in a different way, a franking system includes a PSD which contains within its 
secure housmg a means responsive to a cryptographically authenticated authorisation 
rece.ved on the communications channel forcreadng within the secure housing a second 
regtster set comprising information indicative of a second license number, a second ascendin* 
regtster, and a second piece counter, each of the ascending registers indicative of postage 
printed ,„ connection with the respective license number, each of the piece counters 
md.cafve of a number of mail pieces franked in connection with the respective license 
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number. The PSD further comprises a franking means responsive to a user request for the 
printing of a postage indicium in a particular value in connection with a particular license 
number by incrementing the ascending register in the particular value, by incrementing the 
piece counter, and by creating a cryptographically authenticated indicium based in part on the 
5 license number and the particular value for printing on the printer. Each register set is able to 
be reset by means of a cryptographically secure exchange over the communications channel, 
the cryptographically secure exchange including transmission of information indicative of the 
license number associated with the register set. 

The method of adding a register set responds to a user request for a second register set. A 
10 license request message is prepared and cryptographically signed (blocks 60, 61, 62), the 

signed license request message is communicated on the communications channel, a response 
is received on the communications channel and is cryptographically authenticated (block 67). 
A second register set comprising information indicative of a second license number, a second 
ascending register, and a second piece counter is created within the PSD 40. 

1 5 It may happen that the PSD 44 (Fig. 5) lacks sufficient free memory to accommodate the 
desired number of register sets. For that reason, or for some other reason, the invention 
contemplates a different approach. A particular register set 51a is cryptographically signed 
and/or encrypted, and is stored 72 on external nonsecure storage 71, such as the hard disk of 
the user computer 21 (Fig. 1), or other mass storage. If at a later time the user wishes to use 

20 that license, the user host system 21 can transmit the signed register set 5 la from the storage 
71 back to the PSD 44. The PSD 44 typically also confirms the authenticity of the signatures 
previously supplied by the manufacturer and the postal authority before accepting the register 
set 51a for the printing of postage. 

Stated differently, there is contained within the secure housing a means responsive to a first 
25 user request for cryptographically signing the register set 5 1 a and copying the 

cryptographically signed register set 5 1 a via the communications channel 45 to external 
apparatus 71. Later the register set 72 is retrieved from the external apparatus 71 and is 
cryptographically authenticated. The register set 51a thus retrieved is available for printing of 
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postage on the printer 22, and for resetting via the corrmiunications channel 45. 

Another embodiment of the invention directs itself to the problem of a single business entity 
wh.cn may „«* l0 be ab.e to prim postage a. multiple locations despite having „ 0 need for 
more man one meter license. In such a system, there is more than one PSD 20, 40 44 each 
5 w«h its own PSD uniaue identifier. But, according to the invention, the same license number 
maybestoredimotheregistersetofeachofthePSDs. This does not pose a risk of fraud 
because according to the invention the PSD unique identifier is communicated in the postal 
.nd,cia along with the license number. ., is assumed, as mentioned eariier, that the post office 
. scans and authenticates every indicium anyway. Thus it is merely a data processing task to 
check the indicia printed to see mat they add up properly to match the funds paid in 
connection with the license, or to „ tha, they correspond as expected with the pardcular 
PSDs mvolve*. If experience shows the scanning and authenticating of every postal indicium 
to be an unworkable task, then mis is a reason ,„ reconsider the use of encrypted indicia bn, 
does not contraindicate the use of the method according to the invention. 

15 This embodiment of the invention is convenient in several ways'. Users may wish to use this 
feature to employ more man one PSD ,„ generate indicia for deposit at the same post office 
Thus ,f one PSD is unavailable or low on funds, a second device can be selected to generate 
indicia. 
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Those skilled in the art will have no difficulty devising obvious enhancements and variations 
on the invention, all of which are to be encompassed by the claims which follow. 
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Claims 
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1. A franking system eo^, a ^ a ^ securjty devjce con]mun . cat . veiy 
w.th ,he printer, and a communications channel coupleO with the posta. security device «„ 
apparatus externa, to the printer and externa, to the posta, security device, the postal security 
dev.ce comprising a secure housing, the posta, security device containing within the secure 
hous.ng a first register se, comprising information indicative of a first license number, a firs, 
ascending register, and a firs, piece counter, the posta, security device further containing 
w.thm ,„e secure housing a second register se, comprising information indicative of a second 
hcense number, a second ascending register, and a second piece counter, each of the 
ascending registers indicative of postage printed in connection with the respective license 

number, each of the piece counters indicative of a number of mail pieces franked in 
connection „i,h tire respective Hcense number; the posta, security device further comprising a 
fankmg means responsive u, a user request for the printing of a postage indicium in a 
particular value in connection with a particular hcense number by incrementing the ascending 
regtster ,„ the particu.ar value, by incrementing the piece counter, and by creatin. a 
cryptographically authenticated indicium based in part on the license number arJthe 
partic„,ar value for printing on , he printer, each register se, disposed to be reset by means of a 
cryptographically secure exchange over the communications channe,, the cryptographically 
secure exchange mcluding transmission of information indicative of the hcense number 
■M associated with the each register set. 

2. A franking system comprising a printer, a posta, security device communicatively coupled 
w..h the printer, and a communications channe, coupied with the posta, security device to 

dev.ce comprising a secure housing, the postal securi.y device coniaining wi,hi„ the secure 
housmg a firs, register se, comprising information indicative of a firs, hcense number, a firs, 
ascending register, and a firs, piece counter, the posta, security device further containing 
wtiun the secure housing a means responsive ,„ a cryptographically authenticated 
authortzation received on the communications channel for creating within the secure housing 
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a second register set comprising information indicative of a second license number, a second 
ascendmg register, and a second piece counter, each of the ascending registers indicative of 
postage printed in connection with the respective license number, each of the piece counters 
md.cative of a number of mail pieces franked in connection with the respective license 
number; the postal security device further comprising a franking means responsive to a user 
request for the printing of a postage indicium in a particular value in connection with a 
particular license number by incrementing the ascending register in the particular value, by 
incrementing the piece counter, and by creating a cryptographically authenticated indicium 
based m part on the license number and the particular value for printing on the printer; each 
register set disposed to be reset by means of a cryptographically secure exchange over the 
communications channel, the cryptographically secure exchange including transmission of 
information indicative of the license number associated with the each register set. 

3. A method for use with a franking system comprising a printer, a postal security device 
commumcatively coupled with the printer, and a communications channel coupled with the 
postal security device to apparatus external to the printer and external to the postal security 
dev 1C e, the postal security device comprising a secure housing, the postal security device 
contammg within the secure housing a first register set comprising information indicative of a 
first hcense number, a first ascending register, and a first piece counter, the ascending register 
indicative of postage printed in connection with the respective license number, the piece 
counter indicative of a number of mail pieces franked in connection with the respective 
hcense number; the postal security device further comprising a franking means responsive to 
a user request for the printing of a postage indicium in a particular value in connection with a 
particular license number by incrementing the ascending register in the particular value, by 
mcremenung the piece counter, and by creating a cryptographically authenticated indicium 
based „, part on the license number and the particular value for printing on the printer, the 
method comprising the steps of: 

in response to a user request for a second register set, preparing a license request message 
cryptographically signing the license request message, communicating the signed license 
request message on the communications channel, receiving a response on the 
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communications channel, cryptographically authenticating the response, and creating within 
the secure housing a second register set comprising information indicative of a second license 
number, a second ascending register, and a second piece counter. 

4. A franking system comprising a printer, a postal security device communicatively coupled 
5 with the printer, and a communications channel coupled with the postal security device to 

apparatus external to the printer and external to the postal security device, the postal security 
device comprising a secure housing, the postal security device containing within the secure 
housing a storage area capable of storing a register set comprising information indicative of a 
license number, an ascending register, and a piece counter, the postal security device further 
10 containing within the secure housing a means responsive to a first user request for 

cryptographically signing the register set and copying the cryptographically signed register set 
via the communications channel to external apparatus; the postal security device further 
containing within the secure housing a means responsive to a second user request for 
retrieving from external apparatus the register set and for cryptographically authenticating the 
15 register set, and for storing the register sent within the storage area; the ascending register 
indicative of postage printed in connection with the respective license number, the piece 
counter indicative of a number of mail pieces franked in connection with the respective 
license number; the postal security device further comprising a franking means responsive to 
a user request for the printing of a postage indicium in a particular value in connection with a 
20 particular license number by incrementing the ascending register in the particular value, by 
incrementing the piece counter, and by creating a cryptographically authenticated indicium 
based in part on the license number and the particular value for printing on the printer; the 
register set disposed to be reset by means of a cryptographically secure exchange over the 
communications channel, the cryptographically secure exchange including transmission of 
25 information indicative of the license number associated with the register set. 

5. A method for use with a franking system, the system comprising a printer, a postal security 
device communicatively coupled with the printer, and a communications channel coupled 
with the postal security device to apparatus external to the printer and external to the postal 
security device, the postal security device comprising a secure housing, the postal security 
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device containing within the secure housing a storage area capable of storing a register set 
comprising information indicative of a license number, an ascending register, and a piece 
counter, the postal security device further containing within the secure housing a means 
responsive to a user request for cryptographically signing the register set and copying the 
5 cryptographically signed register set via the communications channel to external apparatus; 

the postal security device further containing within the secure housing a means responsive for 
retrieving from external apparatus the register set and for cryptographically authenticating the 
register set, and for storing the register sent within the storage area; the ascending register 
indicative of postage printed in connection with the respective license number, the piece 
10 counter indicative of a number of mail pieces franked in connection with the respective 

license number; the postal security device further comprising a franking means responsive to 
a user request for the printing of a postage indicium in a particular value in connection with a 
particular license number by incrementing the ascending register in the particular value, by 
incrementing the piece counter, and by creating a cryptographically authenticated indicium 
based in part on the license number and the particular value for printing on the printer; the 
method comprising the steps of responding to a first user request for cryptographically 
signing the register set and copying the cryptographically signed register set via the 
communications channel to external apparatus; responding to a second user request by 
retrieving from external apparatus the register set and cryptographically authenticating the 
register set, and storing the register sent within the storage area. 
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6. A franking system comprising a first printer and a second printer, a first postal security 
device having a first identifier, said first postal security device communicatively coupled with 
the first printer, and a first communications channel coupled with the first postal security 
device to apparatus external to the first printer and external to the first postal security device, 
25 the first postal security device comprising a first secure housing, the first postal security 

device containing within the first secure housing a first register set comprising information 
indicative of a first license number, a first ascending register, and a first piece counter; the 
system further comprising a second postal security device having a second identifier, said 
second postal security device communicatively coupled with the second printer, and a second 
communications channel coupled with the second postal security device to apparatus external 
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to the second printer and external to the second postal security device, said second postal 
security device comprising a second secure housing, the second postal security device 
containing within the second secure housing a second register set comprising information 
indicative of the first license number, a second ascending register, and a second piece 
5 counter; each of the ascending registers indicati ve of postage printed in connection with the 
respective postal security device, each of the piece counters indicative of a number of mail 
pieces franked in connection with the respective postal security device; each postal security 
device further comprising a franking means responsive to a user request for the printing of a 
postage indicium in a particular value by incrementing the ascending register in the particular 

1 0 value, by incrementing the piece counter, and by creating a cryptographically authenticated 
indicium based in part on the respective postal security device identifier and the particular 
value for printing on the printer; each register set disposed to be reset by means of a 
cryptographically secure exchange over the communications channel, the cryptographically 
secure exchange including transmission of information indicative of the license number 

15 associated with the each register set. 

7. The franking system of claim 6 wherein the first and second printers comprise a single 
printer. 
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